
"GraphQL Security Testing", Egor Bogomolov, Wallarm

OWASP Moscow
December 06, 2019


Video: https://www.youtube.com/watch?v=cb_Hc6GTi5A

OWASP Moscow chapter meetup, 6 December 2019 (https://www.meetup.com/OWASP-Moscow/events/266925142/)

Transcript

  1. Instruments

     - Prints the GraphQL schema SDL from a GraphQL schema JSON introspection: https://github.com/potatosalad/graphql-introspection-json-to-sdl
     - Generate queries from a GraphQL schema: https://github.com/timqian/gql-generator
     - A beautiful, feature-rich GraphQL client for all platforms: https://altair.sirmuel.design/
     - Graphqler (helps in security testing GraphQL applications): https://github.com/sorokinpf/graphqler
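The first tool on the slide turns an introspection result back into SDL so the schema can be read and reviewed. As an added example (not part of the slides and not the linked project's code), here is a minimal Python conversion that covers object, interface, input and enum types with NON_NULL/LIST wrappers, plus a helper that lists the root operation fields a reviewer would enumerate first. The introspection document is constructed for the example and describes a made-up API; names such as `User`, `deleteUser` and `Role` are assumptions.

```python
import json
from typing import Dict, List

# Constructed introspection result in the shape returned by the standard
# `{ __schema { queryType { name } types { kind name fields { ... } } } }`
# query. It describes a made-up API and is not taken from any real service.
def _named(kind: str, name: str) -> dict:
    return {"kind": kind, "name": name, "ofType": None}

def _non_null(t: dict) -> dict:
    return {"kind": "NON_NULL", "name": None, "ofType": t}

def _list_of(t: dict) -> dict:
    return {"kind": "LIST", "name": None, "ofType": t}

ID, STRING, BOOLEAN = _named("SCALAR", "ID"), _named("SCALAR", "String"), _named("SCALAR", "Boolean")
USER, ROLE = _named("OBJECT", "User"), _named("ENUM", "Role")

INTROSPECTION = {"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "subscriptionType": None,
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "user", "args": [{"name": "id", "type": _non_null(ID)}], "type": USER},
            {"name": "users", "args": [], "type": _non_null(_list_of(_non_null(USER)))},
        ]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            {"name": "deleteUser", "args": [{"name": "id", "type": _non_null(ID)}], "type": BOOLEAN},
        ]},
        {"kind": "OBJECT", "name": "User", "fields": [
            {"name": "id", "args": [], "type": _non_null(ID)},
            {"name": "email", "args": [], "type": STRING},
            {"name": "role", "args": [], "type": ROLE},
        ]},
        {"kind": "ENUM", "name": "Role", "enumValues": [{"name": "ADMIN"}, {"name": "USER"}]},
        {"kind": "SCALAR", "name": "ID"}, {"kind": "SCALAR", "name": "String"},
        {"kind": "SCALAR", "name": "Boolean"},
        {"kind": "OBJECT", "name": "__Schema", "fields": []},  # built-in meta type, must be skipped
    ],
}}}

BUILTIN_SCALARS = {"Int", "Float", "String", "Boolean", "ID"}
KEYWORD = {"OBJECT": "type", "INTERFACE": "interface", "INPUT_OBJECT": "input"}

def type_ref(t: dict) -> str:
    """Render a (possibly wrapped) type reference as SDL, e.g. [User!]!."""
    if t["kind"] == "NON_NULL":
        return type_ref(t["ofType"]) + "!"
    if t["kind"] == "LIST":
        return "[" + type_ref(t["ofType"]) + "]"
    return t["name"]

def to_sdl(introspection: dict) -> str:
    """Convert an introspection result to SDL. Descriptions, default argument
    values, deprecation markers, unions and directives are left out."""
    out: List[str] = []
    for t in introspection["data"]["__schema"]["types"]:
        name, kind = t["name"], t["kind"]
        if name.startswith("__"):            # introspection meta types
            continue
        if kind == "SCALAR":
            if name not in BUILTIN_SCALARS:  # built-in scalars are implicit in SDL
                out.append(f"scalar {name}")
        elif kind == "ENUM":
            values = "\n".join(f"  {v['name']}" for v in t.get("enumValues") or [])
            out.append(f"enum {name} {{\n{values}\n}}")
        elif kind in KEYWORD:
            lines = []
            for f in t.get("fields") or t.get("inputFields") or []:
                args = ", ".join(f"{a['name']}: {type_ref(a['type'])}" for a in f.get("args") or [])
                sig = f"({args})" if args else ""
                lines.append(f"  {f['name']}{sig}: {type_ref(f['type'])}")
            out.append(f"{KEYWORD[kind]} {name} {{\n" + "\n".join(lines) + "\n}")
    return "\n\n".join(out) + "\n"

def root_operations(introspection: dict) -> Dict[str, List[str]]:
    """List the fields of the root operation types: the API's entry points,
    which a reviewer wants to enumerate first (mutations in particular)."""
    schema = introspection["data"]["__schema"]
    roots = {schema[k]["name"] for k in ("queryType", "mutationType", "subscriptionType") if schema.get(k)}
    return {t["name"]: [f["name"] for f in t["fields"]]
            for t in schema["types"] if t["name"] in roots}

if __name__ == "__main__":
    print(to_sdl(INTROSPECTION))
    print(json.dumps(root_operations(INTROSPECTION), indent=2))
```

Run it as a script to print the SDL and the root operation map; for a real target, replace `INTROSPECTION` with the parsed response of the introspection query (the linked project handles the parts this sketch omits).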
  2. GraphQL Batching Attack

     GraphQL is designed in a way that allows you to write clean code on the server, where every field on every type has a focused single-purpose function for resolving that value. However, without additional consideration, a naive GraphQL service could be very "chatty" or repeatedly load data from your databases. This is commonly solved by a batching technique, where multiple requests for data from a backend are collected over a short period of time and then dispatched in a single request to an underlying database or microservice by using a tool like Facebook's DataLoader.
  3. What's the problem?

     1. Not all implementations follow the specification.
     2. It gives you the opportunity to bypass information security systems.
     3. Some operations must enforce a hit (attempt) limit.
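The third point is where batching bites: a per-request hit limit on a sensitive operation is meaningless if one HTTP request can carry a JSON array of many operations, or one operation can repeat the same root field many times through aliases. As an added example (not from the talk and not Wallarm's code), here is a Python pre-execution check a server or gateway can run on the raw request body: it rejects oversized array batches, operations with too many root fields, and operations that repeat one root field beyond a limit. The limits, the `login` field name and the request bodies are constructed for illustration; the query scanner is a small tokenizer that understands aliases, arguments, directives and fragment spreads, not a full GraphQL parser, and production code would apply the same counts to the parsed AST instead.

```python
import json
import re
from collections import Counter
from typing import List, Tuple

# Constructed limits; tune them per API. The same-field limit is the one that
# protects "hit-limited" operations such as credential or code checks.
MAX_BATCH = 5        # operations per HTTP request (JSON array batching)
MAX_ROOT_FIELDS = 10 # root-level fields (aliases included) per operation
MAX_SAME_FIELD = 3   # repetitions of one root field via aliases

# Tokens: strings, "...", numbers, names, comments, any other single char.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\.\.\.|-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?'
                    r'|[A-Za-z_][A-Za-z0-9_]*|#[^\n]*|\S')
_IDENT = re.compile(r'[A-Za-z_][A-Za-z0-9_]*')

def _skip_args(tokens: List[str], i: int) -> int:
    """If tokens[i] opens an argument list, return the index just past the
    matching ')'; otherwise return i unchanged."""
    if i >= len(tokens) or tokens[i] != "(":
        return i
    depth = 0
    while i < len(tokens):
        if tokens[i] == "(":
            depth += 1
        elif tokens[i] == ")":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    return i

def root_fields(query: str) -> List[str]:
    """Return the root-level field names of the first operation in `query`,
    with aliases (alias: field) resolved to the underlying field name."""
    tokens = [t for t in _TOKEN.findall(query) if not t.startswith("#")]
    # Skip the operation header up to the '{' that opens the root selection
    # set; braces inside variable default values sit inside parentheses.
    i, paren = 0, 0
    while i < len(tokens):
        if tokens[i] == "(":
            paren += 1
        elif tokens[i] == ")":
            paren -= 1
        elif tokens[i] == "{" and paren == 0:
            break
        i += 1
    else:
        return []
    i += 1
    depth, fields = 1, []
    while i < len(tokens) and depth > 0:
        tok = tokens[i]
        if tok == "{":
            depth += 1; i += 1
        elif tok == "}":
            depth -= 1; i += 1
        elif depth != 1:
            i += 1                       # nested selection: not a root field
        elif tok == "...":
            # fragment spread (...Name) or inline fragment (... on Type {...})
            i += 3 if tokens[i + 1:i + 2] == ["on"] else 2
        elif tok == "@":
            i = _skip_args(tokens, i + 2)  # directive name, then its arguments
        elif _IDENT.fullmatch(tok):
            name = tok
            i += 1
            if tokens[i:i + 1] == [":"]:   # alias: field
                name = tokens[i + 1]
                i += 2
            fields.append(name)
            i = _skip_args(tokens, i)
        else:
            i += 1
    return fields

def check_request(body: str) -> Tuple[bool, str]:
    """Apply the batching limits to a raw GraphQL HTTP request body."""
    payload = json.loads(body)
    ops = payload if isinstance(payload, list) else [payload]
    if len(ops) > MAX_BATCH:
        return False, f"{len(ops)} operations in one request (limit {MAX_BATCH})"
    for op in ops:
        fields = root_fields(op.get("query", "") if isinstance(op, dict) else "")
        if len(fields) > MAX_ROOT_FIELDS:
            return False, f"{len(fields)} root fields in one operation (limit {MAX_ROOT_FIELDS})"
        for name, n in Counter(fields).items():
            if n > MAX_SAME_FIELD:
                return False, f"root field '{name}' repeated {n} times via aliases (limit {MAX_SAME_FIELD})"
    return True, "ok"

# Constructed request bodies: a normal query, one operation that repeats a
# hit-limited root field through aliases, and an oversized array batch.
BENIGN = json.dumps({"query": "query { me { id name } posts(first: 10) { title } }"})
ALIASED = json.dumps({"query": "mutation { " + " ".join(
    f'a{i}: login(username: "alice", password: "p{i}") {{ token }}' for i in range(20)) + " }"})
BATCHED = json.dumps([{"query": "{ me { id } }"}] * 50)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("aliased", ALIASED), ("batched", BATCHED)):
        print(label, check_request(body))
```

Because the check runs on the request body before any resolver executes, the rejected operations never reach the resolver whose per-call hit counter they were meant to sidestep; the same counts can also be emitted as metrics to spot clients that probe the limits.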